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66 CobIT 4.0 is a significant Meeting new regulatory compliance requirements can be a struggle for any 


improvement on the third 
release, making it more 
relevant, filling some gaps 

and adding clarity. Most impor- 
tantly, it better aligns with good 
and best practices in the man- 
agement of IT and so increases 
the possibility that its use will 
result in a better-managed IT 
environment and, specifically, 
improve risk management. 


Therefore, we continue to recom- 


mend that enterprises use it to 
challenge their established IT 
governance procedures and 
to improve the controls they 
have in place. 23 

CobIT 4.0 Is а Good Step Forward 


Simon Mingay 
29 December 2005 


company. The concerns about "where do | start?" and “can | leverage existing 
processes to meet these new requirements?" are obvious questions with not-so- 
obvious answers. Guidance provided by the Public Company Accounting 
Oversight Board (PCAOB) is embedded in long and complex documents known 
as "Audit Standards"; unless you are a seasoned audit professional, much of this 
guidance can easily be misinterpreted or misunderstood. Section 404 of the 
Sarbanes-Oxley Act of 2002 (SOX) requires the management of public companies 
to assess the effectiveness of an organization's internal control over financial 
reporting and annually report the result of that assessment. In order to satisfy this 
requirement, SOX mandates that affected organizations use a recognized internal 
control framework. Actually, it makes specific reference to the Committee of the 
Sponsoring Organizations of the Treadway Commission (COSO), which is 
accepted by many enterprises as the “standard” internal control framework. Тһе 
“CobiT” Control framework has basically become the standard for IT general 
computing controls (GCC's) and is mapped back to the five focus areas of IT 
governance and respective COSO control domains. 


The Sarbanes-Oxley Act of 2002 has fundamentally changed the business and 
regulatory landscape for all companies publically traded in the US. SOX is 
intended to instill confidence back into the investor community after several 
corporate scandals resulted in the loss of billions of dollars in invested capital. 
SOX does this by increasing corporate governance requirements through 
measures that will strengthen internal checks and balances and ultimately, 
provide transparency, as well as elevated corporate accountability. It is important 
to emphasize that section 404 does not require senior management and business 
process owners to merely establish and maintain an adequate internal control 
structure, but also to assess its effectiveness on an annual basis. Most would 
agree that the reliability of financial reporting is heavily dependent on a well- 
controlled and secure IT environment. Accordingly, organizations must consider 
addressing IT controls in a financial reporting context. The QualysGuard Vulnerability 
Management Service maps to many of these controls. 


CobiT, administered by the Information Systems Audit and Control Association 
(ISACA), is a high-level yet comprehensive framework for managing risk and 
control over IT assets, comprising four domains, 34 IT processes and 318 
detailed control objectives. Unlike COSO, CobiT includes controls that address 
operational and compliance objectives, but only those related to financial 
reporting have been considered in the development of this document. CobiT 
provides an actionable framework by which an entity can achieve compliance 
with SOX, when this framework is strategically implemented, to reduce identified 
risk areas to acceptable levels. 


The following tables outline some specific activities in CobiT that map to the 
QualysGuard Vulnerability Management service benefits for each section. In 
support of the items below, “РОЗ” represents one of CobiT's 34 IT processes. 
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и ІТ strategic planning и wv и и 
и Information architecture и и 
Determine technological direction 
и IT organization relationships и и 
Manage the ІТ investment 
и Communication of management aims and direction и v м 
и Management of human resources и и 
и Compliance with external requirements “ и 
и Assessment of risks и 
Manage projects 
и Management of quality и ии wv 
Acquire апа Implement (Program Development and Program Change) 
Identify automated solutions 
v/ Acquire or develop application software и 
и | Acquire technology infrastructure и 
џ | Develop and maintain policies and procedures v wv 
w | Install & test application software & technology infrastructure и 
v/ | Manage changes и и 
Deliver апа Support (Computer Operations апа Access їо Programs апа Data) 
и’ | Define and manage service levels и и и 
и | Manage third-party services и v wv v 
v Manage performance and capacity v v 
Ensure continuous service 
w/ | Ensure systems security им wv wv 
Identify and allocate costs 
v Educate and train users и и 
Assist and advise customers 
VW | Manage the configuration v wv 
џ | Manage problems and incidents v v v 
м^ Manage data му wv 
и Manage facilities и 
џ | Manage operations и wv 
и Monitoring и wv 
v Adequacy of internal controls и 
и Independent assurance и и 
и Internal audit и 
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CobIT Domain - Planning and Organization 
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РОЗ — Determine Technological Direction | QualysGuard can help to determine the needs for 
other additional products in the security architecture. 
P04 - Define the IT organization and QualysGuard can be used to define the relationships 
relationships between security teams (VM to Desktop Support) и и 
through the use of the remediation capabilities. 
P05 - Manage the IT Investment Trending information from QualysGuard can help to 
determine the need for IT investment (system and/or 
software upgrades) over time. 
P08 - Insure Compliance with external QualysGuard reports can assist organizations in 
organizations meeting compliance with SOX, GLBA, and HIPAA 
among other regulations by discovering devices и и 
іп the IT environment that may be vulnerable ог 
improperly configured. 
Р09 - Assess Risks QualysGuard provides customers a method of 
assessing risks within their environment based on 
CVSS and by allowing each customer to create an и 
individualized value matrix for devices in the 
architecture. 
CobIT Domain - Acquire and Implement 
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Al4 — Develop and Maintain procedures | QualysGuard introduces a structure (our six-step 
approach) for the management of vulnerabilities, 
from discovery to remediation. These steps are the 
groundwork for needed for the creation of 
organizational IT processes and procedures. 

Ald - Install and accredit systems The QualysGuard solution allows for the creation 
of a “gold standard” for the security of a particular 
host. This can be used to accredit a system’s 
configuration prior to deployment. 

А16 — Manage Changes The remediation features in the QualysGuard solution 
can be used for the management of changes, such 
as patches, to update or reconfigure network- or 
user-based IT resources. 
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CobIT Domain - Delivery & Support 
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DS5 - Ensure System Security QualysGuard qualifies the classifications of what 
systems’ “vulnerabilities,” include, to help to ensure и и и 
understanding of the interrelationships in security 
remediation. 
DS9 - Manage the Configuration QualysGuard scans can indicate that hosts may not 
be configured correctly, which may also result in a и и 


reduced level of system security. 

DS10 - Manage Problems and Incidents | QualysGuard’s built-in ticket remediation system 
can assist in the management of problems and root и и и 
cause analysis of security incidents. 


CobIT Domain - Monitoring 
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ME2 — Monitor and Evaluate Internal QualysGuard provides an automated method of 
Control testing all technically defined controls. Companies 
impacted by SOX compliance are required to perform 
eriodic self-assessments related to the effective- 
P мм v 


ness of internal controls placed in Production. 
Taking into consideration that this is an ongoing 
process, QualysGuard can greatly reduce the cost 
and human resource overhead associated. 

МЕЗ - Ensure Compliance with External | QualysGuard Vulnerability Management and Policy 
Requirements Compliance reports can be used as evidentiary 
support for meeting regulatory and contractual 
requirements and expectations. 


In addition to its use as a vulnerability management and remediation tool, QualysGuard maps to many of the areas of 
the COSO framework and can be used to demonstrate compliance with Sarbanes-Oxley Act of 2002, Section 404. 


For those companies using the CobiT framework for overall IT governance, QualysGuard functionality provides a 
method of meeting specific CobiT governance requirements. The table below outlines the QualysGuard capabilities 
that map to the specific control objectives. 
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Сор!Т 4.0 Controls 


Сор!Т Sub-Control 


QualysGuard Capabilities 


PO 9 Assess and Manage 
IT Risks 


PO9.3 Event Identification 


Identifies vulnerabilities. 

Asses Risk - support for CVSS. 
Identifies device misconfigurations. 
Information available on demand. 


Al6 Manage Changes 


Al6.4 Change Status Tracking 
and Reporting 


The incorporation of a remediation management system within QualysGuard allows for 
tracking of changes to systems. 

Action logs available for viewing and (with QG 4.7) download for tracking changes to 
QualysGuard Activities. 

Scan and report notifications available via email. 


Al6.5 Change Closure and 
Documentation 


Action logs available for viewing and (with QG 4.7) download. 
Multi role support segregation of duties (SoD). 
Scan and report notifications available via email. 


DS2 Manage Third-party 
Services 


DS2.4 Supplier Performance 
Monitoring 


Many customers have purchased Qualys to monitor third party service providers. 
Audits SLA compliance for those who've outsourced IT infrastructure patching mainte- 
nance. 


DS5 Ensure Systems 
Security 


DS5.4 User Account 
Management 


QualysGuard can assist in meeting this requirement by auditing for unused accounts 
(QID 105234). 
QualysGuard can provide audits of user rights and privileges. 


DS5.5 Security Testing, 
Surveillance and Monitoring 


Automated QualysGuard scans using credentialed access can test for compliance and 
accreditation of systems. This can be accomplished through the use of specific 
templates containing level 1 and 2 vulnerabilities. 


DS5.6 Security Incident 
Definition 


QualysGuard threat, impact and solution data is well defined as part of Qualys reporting. 
CVSS is supported for indicating impact level. 


DS5.9 Malicious Software 
Prevention, Detection and 
Correction 


Report templates containing specific Qualys QIDs represent and identify Trojans, 
back-doors, key loggers and rootkits on systems and can be used as part of an over- 
all strategy for DS5.9. 


DS8 Manage Service Desk 
and Incidents 


DS8.3 Incident Escalation 
DS8.4 Incident Closure 
DS8.5 Trend Analysis 


QualysGuard Remediation specifically supports all DS8 controls allowing for 
vulnerability remediation assignment and control. 

Reports are available to support remediation trend analysis. 

Export to third part ticketing system is supported. 


DS9 Manage the 
Configuration 


DS9.3 Configuration Integrity 
Review 


Specific Qualys QIDs represent system configuration detections that include software 
inventories. These can be compared to user defined baselines. 
QualysGuard can perform system software audits. 


DS10 Manage Problems 


DS10.1 Identification and 
Classification of Problems 
DS10.2 Problem Tracking and 
Resolution 

DS10.3 Problem Closure 
DS10.4 Integration of Change, 
Configuration and Problem 
Management 


QualysGuard Remediation specifically supports all DS10 controls allowing for vulner- 
ability remediation assignment and control. 

Reports are available to support remediation trend analysis. 

Export to third part ticketing system is supported. 


ME2 Monitor and Evaluate 
Internal Control 


ME2.1 Monitoring of Internal 
Control Framework 
ME2.1 Monitoring of Internal 
Control Framework 


QualysGuard supports vulnerability trending and benchmarking reports to control the 
IT environment. 

QualysGuard supports exception control through the ignore vulnerability function on a 
host-by host basis. This information can be made available across users. 
QualysGuard provides subscription based timely security notifications about emer- 
gency threat detections. 


ME2.7 Remedial Actions 


Qualys supports remediation change management and process control. 
Remediation can be assigned specific individuals. 
Tracking reports are available. 


MES Ensure Regulatory 
Compliance 


ME3.3 Evaluation of 
Compliance With Regulatory 
Requirements 


Information gathered through QualysGuard scans can assist with compliance with 
many regulatory compliances. 

User access rights to files and folders, File permissions, Patches, Malicious Software, 
Host event log settings, and other security setting information is relevant for HIPAA, 
Sarbanes-Oxley, NIST 800-53, and other regulatory compliances. 
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About Qualys 

Qualys, Inc. is the leading provider of on demand IT security risk and 
compliance management solutions — delivered as a service. Qualys’ Software- 
as-a-Service solutions are deployed in a matter of hours anywhere in the world, 
providing customers an immediate and continuous view of their security and 
compliance postures. The QualysGuard® service is used today by more than 
3,500 organizations in 85 countries, including 35 of the Fortune Global 100 and 
performs more than 200 million IP audits per year. Qualys has the largest 
vulnerability management deployment in the world at a Fortune Global 50 
company. Qualys has established strategic agreements with leading managed 
service providers and consulting organizations including BT, Etisalat, Fujitsu, 
IBM, I(TS)2, LAC, SecureWorks, Symantec, TELUS and VeriSign. 


For more information, please visit www.qualys.com. 
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